Data Protection Impact Assessment
AI-Powered Meeting Transcript Analysis
GDPR Article 35 | Version 1.0 | March 29, 2026
Prepared by: Lamb and Flag TopCo Corp (dba AtlanticM&A)
Data Protection Contact: privacy@atlanticma.com
1. Description of Processing
1.1 Nature of Processing
The AtlanticM&A platform offers an AI-powered meeting transcript analysis feature ("Meeting Intelligence"). When a Customer uploads or pastes a meeting transcript, the system:
- Stores the transcript text encrypted at rest in AWS S3 (AES-256)
- Generates a vector embedding (Amazon Titan) for semantic search capability
- Sends the transcript to Claude (Anthropic, via AWS Bedrock) for structured analysis
- Extracts: summary, action items, key decisions, risks, sentiment, and proposed data updates
- Presents AI-generated suggestions to the user for explicit approval or rejection
- Stores approved changes in the project database; rejected suggestions are discarded
1.2 Scope of Processing
| Personal data processed | Names of meeting attendees and speakers, job titles, email addresses mentioned in transcript, opinions and statements attributed to named individuals, action item assignments |
| Special categories (Art. 9) | None intentionally processed. Transcripts may incidentally contain health references, trade union membership, or political opinions if discussed in meetings. Customers are advised not to upload transcripts containing special category data. |
| Data subjects | Meeting attendees, individuals discussed in meetings, individuals named in M&A deal context |
| Volume | Typically 1-10 transcripts per project per month, 1,000-50,000 words per transcript |
| Geographic scope | Global — Customers operate across jurisdictions. All processing occurs in US-East-1 (N. Virginia). |
| Retention | While Customer subscription is active. Deleted within 35 days of account termination (30-day export window + 5-day backup retention). |
1.3 Purpose of Processing
The processing serves the following legitimate purposes:
- Contractual necessity (Art. 6(1)(b)): The Customer has contracted for AI-powered meeting analysis as part of the Service. The feature is core to the product offering.
- Legitimate interest (Art. 6(1)(f)): Reducing manual effort in capturing meeting outcomes, improving project tracking accuracy, and enabling evidence-based integration management.
Processing is initiated only by explicit Customer action — uploading a transcript and clicking "Analyze." The system does not automatically record, transcribe, or process meetings.
1.4 Technology Description
| Component | Technology | Data Flow |
|---|---|---|
| Storage | AWS S3 (AES-256 encryption at rest) | Transcript text stored as .txt file |
| Embedding | Amazon Titan Embed Text v1 | First 8,000 chars → 1536-dim vector (stored in PostgreSQL pgvector) |
| AI Analysis | Claude Sonnet 4.6 via AWS Bedrock | Full transcript → structured JSON extraction |
| Network | AWS VPC private endpoint | No public internet transit — Bedrock accessed via private network |
| Results | Aurora PostgreSQL (encrypted) | AI output stored as JSONB with confidence scores |
2. Necessity and Proportionality Assessment
2.1 Necessity
Post-merger integration involves dozens of weekly meetings across multiple workstreams. Manually extracting action items, risks, and status updates from these meetings is time-consuming and error-prone. AI analysis reduces a 2-hour manual review process to under 2 minutes, with evidence-quoted source attribution for every extracted item.
Less intrusive alternatives considered:
- Manual-only extraction: Rejected — does not scale for large integrations (10-20 workstreams, weekly meetings each). The purpose of the Service is to automate this process.
- Keyword-only extraction (no AI): Rejected — insufficient accuracy for M&A-specific terminology. Keyword matching cannot identify nuanced action items, risk escalations, or sentiment.
- On-device processing: Not feasible — large language model inference requires GPU/accelerator infrastructure not available on end-user devices.
- EU-region processing: AWS Bedrock with Claude is not yet available in all EU regions. When available, EU processing will be offered as an option.
2.2 Proportionality
- Data minimisation: Only the transcript text is sent to the AI model. No user authentication data, billing data, or unrelated project data is included in the AI prompt.
- Purpose limitation: The AI model processes the transcript solely for structured extraction. It does not profile individuals, make automated decisions about individuals, or generate content about individuals beyond what is in the transcript.
- Human oversight: Every AI-generated suggestion requires explicit human approval before any data is changed. The system proposes; the user decides.
- No model training: AWS Bedrock does not use customer data to train, improve, or fine-tune any models. This is contractually guaranteed by AWS.
3. Risk Assessment
3.1 Risks to Data Subjects
| Risk | Likelihood | Severity | Mitigation |
|---|---|---|---|
| Unauthorised access to transcript content | Low | High | Encryption at rest (AES-256), in transit (TLS 1.2+), row-level security, VPC isolation, MFA, WAF rate limiting |
| AI misattribution of statements to wrong individuals | Medium | Medium | Confidence scoring on every extraction; evidence quotes allow verification; human approval required before data changes |
| Incidental processing of special category data | Low | High | Customer guidance not to upload transcripts containing special category data; AI does not attempt to extract or classify sensitive personal attributes |
| Data breach exposing transcript content | Very Low | High | Multi-layer security (WAF, VPC, RLS, encryption, CloudTrail); breach notification within 72 hours; incident response plan documented |
| Cross-tenant data leakage via AI model | Very Low | High | AWS Bedrock provides strict tenant isolation — each API call is independent with no shared context. No fine-tuning or model persistence between calls. |
| US government access to data (Schrems II concern) | Low | Medium | Encryption keys managed by AWS KMS; Standard Contractual Clauses in place; supplementary technical measures (VPC isolation, no public egress); transparency report commitment |
| Automated decision-making affecting individuals (Art. 22) | N/A | N/A | The system does not make automated decisions about individuals. All AI outputs are suggestions requiring human approval. No profiling, scoring, or automated consequences for data subjects. |
3.2 Residual Risk Assessment
After applying the mitigations described above, the residual risk to data subjects is assessed as LOW. The primary risk vectors (unauthorised access, data breach) are mitigated by industry-standard and above-standard security controls. The AI-specific risks (misattribution, cross-tenant leakage) are mitigated by the human-in-the-loop approval workflow and AWS Bedrock's tenant isolation guarantees.
4. Measures to Address Risks
4.1 Technical Measures
- Encryption at rest (AES-256) for all data stores (S3, Aurora, DynamoDB)
- Encryption in transit (TLS 1.2+ enforced with HSTS)
- Row-Level Security (RLS) at database level — strict tenant isolation
- VPC private endpoints — AI processing never traverses the public internet
- AWS WAF with OWASP rules, IP reputation, and rate limiting (50 req/5min on auth)
- Multi-factor authentication (TOTP, WebAuthn passkeys)
- CloudTrail audit logging with 90-day retention
- Automated backup with 35-day retention and point-in-time recovery
4.2 Organisational Measures
- AI Processing Notice displayed before transcript upload (informed consent)
- Human-in-the-loop: all AI suggestions require explicit approval
- Confidence scoring: each extraction includes a 0-1 confidence score
- Evidence quotes: every proposed update links to the source text in the transcript
- Data minimisation: only transcript text sent to AI — no extraneous personal data
- Right to deletion: users can delete individual meetings and transcripts at any time
- Account-level deletion: full GDPR Article 17 erasure within 35 days of termination
- Incident response plan: documented procedure with 72-hour notification commitment
- Sub-processor register: maintained and updated with 30-day notification for changes
4.3 Data Subject Rights
- Right of access (Art. 15): Data export available via Account Settings (JSON format)
- Right to rectification (Art. 16): Users can edit all project data including AI-generated content
- Right to erasure (Art. 17): Individual meeting deletion + full account deletion available
- Right to data portability (Art. 20): Full data export in machine-readable format
- Right to object (Art. 21): AI features can be disabled entirely; transcripts can be uploaded without analysis
- Right not to be subject to automated decisions (Art. 22): Not applicable — no automated decisions are made about data subjects. All AI outputs require human approval.
5. Consultation
5.1 Data Protection Officer
Given the size of the organisation (sole proprietor), a formal DPO appointment is not required under GDPR Article 37. However, data protection enquiries are handled by the Data Protection Contact at privacy@atlanticma.com.
5.2 Data Subject Consultation
Data subjects (meeting attendees) are not directly consulted as part of this DPIA. The Controller (Customer) is responsible for ensuring appropriate legal basis for uploading meeting transcripts, including informing meeting participants that transcripts may be processed by AI tools. The Processor provides the AI Processing Notice within the application to support this obligation.
5.3 Supervisory Authority
Based on the residual risk assessment (LOW), prior consultation with the supervisory authority under GDPR Article 36 is not considered necessary. This assessment will be reviewed if the processing changes materially or if the risk profile increases.
6. Review Schedule
This DPIA will be reviewed:
- Annually (next review: March 2027)
- When the AI model is changed or upgraded
- When the processing scope changes materially (e.g., automatic transcription added)
- When a data breach or near-miss occurs involving transcript data
- When relevant regulatory guidance is updated (e.g., EU AI Act implementation)
7. Conclusion
This DPIA concludes that the AI-powered meeting transcript analysis feature processes personal data in a manner that is necessary, proportionate, and adequately safeguarded. The combination of technical measures (encryption, VPC isolation, RLS), organisational measures (human-in-the-loop, consent notice, confidence scoring), and data subject rights (deletion, export, objection) reduces the residual risk to data subjects to a level that does not require prior consultation with the supervisory authority.
The key safeguard is the human-in-the-loop design: the AI suggests, the human decides. No automated decisions are made about data subjects, and no data is used for model training.
Lamb and Flag TopCo Corp (dba AtlanticM&A) · 159 N Wolcott St, Ste 133, Casper, WY 82601, United States
Version 1.0 · March 29, 2026 · Next review: March 2027